Hi,

I upgraded from a -CURRENT as of about 1.5 or 2 months ago to RELENG_5 and do now have a problem with ipfw:

    FreeBSD champagne.eusc.inter.net 5.3-BETA1 FreeBSD 5.3-BETA1 #6: Fri Aug 27 09:35:33 CEST 2004 root_at_champagne.eusc.inter.net:/usr/obj/usr/src/sys/CHAMPAGNE i386

ipfw is running and loads its rules just fine:

    champagne# ipfw show
    00100  1286 106440 allow ip from 127.0.0.0/8 to 127.0.0.0/8
    00200   840  36960 fwd 192.168.25.1 tcp from 192.168.25.5 25 to 213.XXX.XXX.X/24
    00300     0      0 reset tcp from me to 213.XXX.XXX.XXX dst-port 25
    00400     0      0 reset tcp from me to 203.XXX.XXX.XXX/24 dst-port 25
    00500  5221 559882 allow ip from any to any
    65535     0      0 deny ip from any to any

My problem is with rule 200: It's there, ipfw shows matches. But the packets don't get forwarded. The rule is unchanged from the setup before and is working on other systems.

ipfw is loaded as a module. I use SCHED_4BSD. The kernel has these options (which might be related):

    options PFIL_HOOKS      # pfil(9) framework
    options ADAPTIVE_GIANT  # Giant mutex is adaptive.

I added PFIL_HOOKS to the kernel (I think ipfw wouldn't work at all, if I didn't) and ADAPTIVE_GIANT (as suggested here and in GENERIC).

The machine is a Dual Xeon 2.4 GHz with HTT (currently) disabled.

The machine has two interfaces:

    fxp0 with 192.168.25.5/24
    em0 with 213.XXX.XXX.XXX (same network as in rule 200)

The setup is a local load balancing, so there are connects coming from the official network to port 25 (loadbalanced) at 192.168.25.5 (the machines actually connect to an IP in the official net, which gets balanced to 192.168.25.x). The forwarding rule is needed, because routing to the connecting IP would be through the em0 interface and translation by the loadbalancer would be circumvented then.

Connection to port 25 is possible from a 192.168.25.x IP directly, but if I enable this host on the load balancer, I do only see incoming packets to port 25 on fxp0 but don't see any packets going back (on neither fxp0 nor em0, not even lo0). The forwarded packets simply disappear.

- Oliver

-- 
| Oliver Brandmueller | Offenbacher Str. 1 | Germany D-14197 Berlin |
| Phone +49-172-3130856 | Fax +49-172-3145027 | WWW: http://the.addict.de/ |
| I am the Internet. As truly as I help God. |
| Commercial use of any of the addresses contained herein is not permitted! |

Received on Fri Aug 27 2004 - 06:43:09 UTC